Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime

San Francisco - A federal appeals court today rejected a dangerous interpretation of the federal anti-hacking law, dismissing charges that would have criminalized any employee's use of a company's computers in violation of corporate policy.

The Electronic Frontier Foundation (EFF) filed an amicus brief in this case, U.S. v. Nosal, urging the court to come to this conclusion as part of its ongoing work to ensure fair application of the federal Computer Fraud and Abuse Act (CFAA).

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," said the opinion by Chief Judge Alex Kozinski of the 9th U.S. Circuit Court of Appeals.

In Nosal, the government prosecuted an ex-employee of an executive recruiting firm on the theory that he induced current company employees to use their legitimate credentials to access a proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of policy constituted a violation of the CFAA, a law with criminal penalties.

EFF argued in its amicus brief that turning mere violations of company policies into computer crimes could potentially create a massive expansion of the law – making millions of law-abiding workers criminals for innocent activities like sending a personal e-mail or checking sports scores from a work computer, and leaving them vulnerable to prosecution at the government's whim. The court agreed in an en banc decision, replacing a ruling last year in which a three-judge panel found that disloyal employees who breach computer use policies run afoul of the CFAA.

"We shouldn't have to live at the mercy of our local prosecutor," said the opinion. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com."

"This is an important victory for all Americans who use computers at work," said EFF Senior Staff Attorney Marcia Hofmann. "Violating a private computer use policy shouldn't be crime, just as violating a website's terms of use shouldn't be a crime. These policies are often vague, arbitrary, confusing and contradictory. Putting people on the hook for criminal liability when they violate these agreements would leave millions of law-abiding computer users vulnerable to federal prosecution."

"EFF has been fighting these aggressive government hacking arguments for years," said EFF Staff Attorney Hanni Fakhoury. "We're happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users."

The recent arrest of Wikileaks editor Julian Assange surprised many by hinging on one charge: a Computer Fraud and Abuse Act (CFAA) charge for a single, unsuccessful attempt to reverse engineer a password. This might not be the only charge Assange ultimately faces. The government can add more...

While the indictment of Julian Assange centers on an alleged attempt to break a password—an attempt that was not apparently successful—it is still, at root, an attack on the publication of leaked material and the most recent act in an almost decade-long effort to punish a whistleblower and the...

When is software free? Is it enough that the software be licensed under a free or open license? What about patents? Software as a service? Trade secrets? What about DRM? Is software ever free? There's a saying in the software freedom movement: "if you can't open it, it's not yours....

EFF is introducing a new Coders' Rights project to connect the work of security research with the fundamental rights of its practitioners throughout the Americas. The project seeks to support the right of free expression that lies at the heart of researchers' creations and use of computer code to...

Have you ever wanted to talk with the Electronic Frontier Foundation about the risks of talking in public about security issues, especially in connected Internet of Things devices? Tomorrow, you'll get your chance. Information security has never been more important: now that everything from a car to a voting...

Congress has never made a law saying, "Corporations should get to decide who gets to publish truthful information about defects in their products,"— and the First Amendment wouldn't allow such a law — but that hasn't stopped corporations from conjuring one out of thin air, and then defending it as...

Update: Canadian authorities announced on May 7 that they dropped all charges against the teen they had previously accused of unauthorized use of a computer service for downloading public records from a government website. Canadian authorities should drop charges against a 19-year-old Canadian accused of “unauthorized use of...

For tech lawyers, one of the hottest questions this year is: can companies use the Computer Fraud and Abuse Act (CFAA)—an imprecise and outdated criminal anti-“hacking” statute intended to target computer break-ins—to block their competitors from accessing publicly available information on their websites? The answer to this question has wide-ranging...

Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail. EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon as...